IT Brief Australia - Technology news for CIOs & IT decision-makers
Australia

Guides

#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things

Search

Overwhelmed security office manual compliance slow automation
#
Digital Transformation
#
Partner Programmes
#
RPA

Manual compliance strain fuels automation push - survey

Wed, 21st Jan 2026
Author image
By Catherine Knowles, News Editor

RegScale has published the second edition of its State of Continuous Controls Monitoring report, with survey findings that point to widespread delays and resourcing pressure in governance, risk and compliance work.

The report found that 83% of organisations experienced moderate or major delays linked to manual compliance work. It also said 53% assigned the equivalent of one full-time employee to evidence collection.

"Compliance and security teams are doing everything they can, but the human burden has become unsustainable," said Dale Hoak, CISO, RegScale.
"This year's findings highlight that organizations are delaying critical activities, struggling to monitor controls in real time, and relying on legacy manual processes that directly undermine security readiness. Continuous Controls Monitoring is the bridge that helps teams reduce labor, improve visibility, and ultimately modernize and strengthen resilience in an increasingly complex environment."

Resource strain

The report said resource constraints now shape decisions on what compliance teams can sustain. It found that 85% of organisations delayed or eliminated legacy GRC activities because of resourcing limits.

Within that group, 44% postponed control testing and monitoring. The report also found that 33% postponed policy updates and governance reviews. It said 25% cited a lack of skilled employees as a major barrier.

The findings point to backlogs in areas that many security and risk leaders treat as routine. They also suggest that organisations face choices between maintaining existing governance cycles and reallocating people to meet audit and regulatory demands.

Automation gap

The report described broad adoption of automation, with uneven progress towards fully automated workflows. It found that 95% of organisations had implemented some level of automation in GRC. Only 4% reported full end-to-end automation.

Continuous monitoring remained limited. The report found that 28% monitored security controls continuously in real time. It said 72% still used periodic assessments.

It also examined the use of AI in compliance operations. The report found that 64% reported significant or transformational improvement from AI adoption. The data did not indicate that AI use translated into a majority shift to end-to-end automation.

Risk signals

The report linked manual processes to operational stress in security and compliance teams. It also framed real-time compliance and security work as increasingly aligned requirements for organisations that face multiple frameworks and growing regulatory scrutiny.

RegScale said the research covered board-level reporting and metrics, industry-specific compliance challenges, regulatory complexity, and changes in governance models. The company positioned continuous controls monitoring as a response to these pressures.

The survey ran in September and October 2025 and included 253 information security leaders. Respondents included CISOs, CIOs, Chief Risk Officers, and VPs and Directors of Security.

The sample focused on organisations with more than 1,000 employees and included financial services, healthcare, technology, retail, government, business services, and manufacturing.

One of the report's themes is the operational cost of manual evidence collection and fragmented data. The survey results indicate that evidence work still absorbs dedicated staffing in many organisations. This sits alongside continued reliance on periodic testing rather than continuous control checks.

Roland Cloutier, a former Global CISO and CSO and a Strategic Advisor to RegScale, linked delays in automation to downstream consequences for audit outcomes and risk management.

"Having led security operations at global companies, I've seen firsthand how manual compliance processes create cascading failures," said Cloutier. "Every day an organization delays automation, they're making an implicit choice: pay now in tech investments, or pay later in time, audit findings, and organizational risk."

RegScale said it will discuss the report findings in a webinar later this month.

Related stories
Synology gains ISO 27001:2022 for security management
Interactive & Ansvar mark 15 years of tech partnership
DroneShield names Michael Powell new chief operating officer
NEXTDC names Jodi Pearce Alliance Director for AI push
UKG names Paul Broughton Asia Pacific managing director

Top stories

AI pushes dense, decentralised & sustainable data centres
myFirst expands kid-safe tech ecosystem with Circle app
NTT DATA maps six AI trends shaping mass intelligence
How seamlessly connected tech will shape business 2026
Australians turn to AI for love as dating scams surge